telnet: handle single-byte input option

Coverity CID 1638753 correctly identies this code misbehaved if the
passed in suboption is exactly one byte long by substracting two from
the unsigned size_t variable.

Closes #15987

diff --git a/lib/telnet.c b/lib/telnet.c
index 64d552d1592b18c93847a67b6055419ad3a92a5f..4a7f6d060d3821f91a624683a7c86a5be9104c10 100644 (file)
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -695,7 +695,10 @@ static void printsub(struct Curl_easy *data,
           infof(data, ", not IAC SE) ");
         }
       }
-      length -= 2;
+      if(length >= 2)
+        length -= 2;
+      else /* bad input */
+        return;
     }
     if(length < 1) {
       infof(data, "(Empty suboption?)");